FortiGate
vbandha
Staff
Article Id 276314
Description: This article describes the steps to access a DNS server on the other side of an IPsec tunnel.
Scope: 7.0+.
Solution:

DNS traffic on FortiGate is self-originating traffic, meaning it originates from the FortiGate itself. See the administration guide for more information.

Self-originating traffic uses the IP address of the exit interface as its source address by default.

When this traffic is routed over an IPsec tunnel, it fails because IPsec tunnel interfaces have no IP address by default, so there is no valid source address for the packets.


In this example, an attempt is made to reach the DNS server 192.168.1.58, which lies on the other side of the IPsec tunnel. When it is entered in the DNS settings, it shows as unreachable:

[Screenshot 1.JPG: DNS server 192.168.1.58 shown as unreachable in the DNS settings]

To fix this, assign an interface IP address to the IPsec tunnel interface.

Go to Network -> Interfaces, choose the IPsec tunnel and select Edit. In the edit window, provide an IP address for the interface and for the remote side. Use any IP address in a subnet that is not used anywhere else in the environment. In this example, the local side is given 192.168.101.1 and the remote side 192.168.101.2, as shown below:


Local side:

[Screenshot 2.JPG: IPsec tunnel interface with IP 192.168.101.1 and remote IP 192.168.101.2]

Remote side:

[Screenshot 3.JPG: IPsec tunnel interface with IP 192.168.101.2 and remote IP 192.168.101.1]


If Phase 2 selectors are configured on the IPsec tunnel, these IP addresses must also be added to the Phase 2 selectors so that the traffic is allowed through the tunnel.
Additionally, if firewall policies are in place to restrict traffic, these IP addresses must be added to the relevant firewall policies.

After that, the DNS server becomes reachable.
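The same procedure in the FortiOS CLI, added here as an example and not taken from the article: the tunnel name HQ-VPN, the Phase 2 entry HQ-VPN-p2-dns, the remote LAN interface port2 and the address object names are assumed; the IP addresses are the ones used above.

```fortios
# Local FortiGate: DNS server behind tunnel "HQ-VPN" (assumed name);
# the tunnel IP becomes the source address of self-originated traffic
config system dns
    set primary 192.168.1.58
end
config system interface
    edit "HQ-VPN"
        set ip 192.168.101.1 255.255.255.255
        set remote-ip 192.168.101.2 255.255.255.0
    next
end
# Extra Phase 2 selector, needed only when selectors are narrower than 0.0.0.0/0
config vpn ipsec phase2-interface
    edit "HQ-VPN-p2-dns"
        set phase1name "HQ-VPN"
        set src-subnet 192.168.101.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
# Remote FortiGate: mirror the tunnel IPs (and swap the Phase 2 subnets)
config system interface
    edit "HQ-VPN"
        set ip 192.168.101.2 255.255.255.255
        set remote-ip 192.168.101.1 255.255.255.0
    next
end
# Remote side policy: allow only DNS from the tunnel IPs to the server on port2
config firewall address
    edit "IPsec-tunnel-ips"
        set subnet 192.168.101.0 255.255.255.0
    next
    edit "DNS-server"
        set subnet 192.168.1.58 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "VPN-to-DNS"
        set srcintf "HQ-VPN"
        set dstintf "port2"
        set srcaddr "IPsec-tunnel-ips"
        set dstaddr "DNS-server"
        set action accept
        set schedule "always"
        set service "DNS"
    next
end
# Check from the local FortiGate: probe from the tunnel IP, then watch port 53
execute ping-options source 192.168.101.1
execute ping 192.168.1.58
diagnose sniffer packet any "host 192.168.1.58 and port 53" 4
```

The sniffer output should show queries leaving with source 192.168.101.1 and replies from 192.168.1.58; if only queries appear, check the Phase 2 selectors and the remote policy first.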
